Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect implementation in Chrome's password handling component, present before version 149.0.7827.155, permits a remote attacker to leak cross-origin data through a specially crafted HTML page. The record classifies the flaw as CWE-863 (Incorrect Authorization): the browser trusted data from one origin to be safe for use in another, allowing confidential user data to be accessed by malicious pages.

Affected Systems

All desktop installations of Google Chrome older than 149.0.7827.155 are impacted, regardless of operating system, because the vulnerability originates in the core password component shipped with the browser.

Risk and Exploitability

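With a CVSS score of 4.3, the weakness falls into the medium-severity range, although Chromium's own severity rating for the issue is High. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) describes a network-reachable, low-complexity attack that needs no privileges but does require user interaction, with low confidentiality impact and no integrity or availability impact. The reported EPSS is less than 1% and the issue is not listed in CISA's KEV catalog, indicating a low likelihood of widespread exploitation at this time. The attack requires the victim to visit a malicious web page that supplies a crafted form; the primary vector is therefore client-side phishing or drive-by attacks. While the impact is confined to confidentiality, it could enable attackers to harvest stored passwords and associated data for malicious use.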

Generated by OpenCVE AI on June 17, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.155 or later.
  • Disable the built‑in password manager for sites that you consider sensitive until the update is applied, or restrict cross‑origin auto‑fill via site settings.
  • If immediate update is not feasible, use a sandboxed third‑party password manager that isolates credentials by origin to reduce the risk of leakage.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-863
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:53:40.448Z

Reserved: 2026-06-16T19:38:26.416Z

Link: CVE-2026-12446

Vulnrichment

Updated: 2026-06-17T10:53:31.694Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T07:30:04Z

Weaknesses